Blackbone

Windows memory hacking library

Features

• x86 and x64 support

• Process interaction

• Manage PEB32/PEB64

• Manage process through WOW64 barrier

• Process Memory

• Allocate and free virtual memory

• Change memory protection

• Read/Write virtual memory

• Process modules

• Enumerate all (32/64 bit) modules loaded. Enumerate modules using Loader list/Section objects/PE headers methods.

• Get exported function address

• Get the main module

• Unlink module from loader lists

• Inject and eject modules (including pure IL images)

• Inject 64bit modules into WOW64 processes

• Manually map native PE images

• Threads

• Enumerate threads

• Create and terminate threads. Support for cross-session thread creation.

• Get thread exit code

• Get main thread

• Manage TEB32/TEB64

• Join threads

• Suspend and resume threads

• Set/Remove hardware breakpoints

• Pattern search

• Search for arbitrary pattern in local or remote process

• Remote code execution

• Execute functions in remote process

• Assemble own code and execute it remotely

• Support for cdecl/stdcall/thiscall/fastcall conventions

• Support for arguments passed by value, pointer or reference, including structures

• FPU types are supported

• Execute code in new thread or any existing one

• Remote hooking

• Hook functions in remote process using int3 or hardware breakpoints

• Hook functions upon return

• Manual map features

• x86 and x64 image support

• Mapping into any arbitrary unprotected process

• Section mapping with proper memory protection flags

• Image relocations (only 2 types supported. I haven't seen a single PE image with some other relocation types)

• Imports and Delayed imports are resolved

• Bound import is resolved as a side effect, I think

• Module exports

• Loading of forwarded export images

• Api schema name redirection

• SxS redirection and isolation

• Activation context support

• Dll path resolving similar to native load order

• TLS callbacks. Only for one thread and only with PROCESS_ATTACH/PROCESS_DETACH reasons.

• Static TLS

• Exception handling support (SEH and C++)

• Adding module to some native loader structures(for basic module api support: GetModuleHandle, GetProcAdress, etc.)

• Security cookie initialization

• C++/CLI images are supported

• Image unloading

• Increase reference counter for import libraries in case of manual import mapping

• Cyclic dependencies are handled properly

License

Blackbone is licensed under the MIT License. Dependencies are under their respective licenses.